Finn Klessascheck,Stephan A. Fahrenkrog-Petersen,Jan Mendling,Luise Pufahl

2024-09-12

Abstract:To promote sustainable business practices, and to achieve climate neutrality by 2050, the EU has developed the taxonomy of sustainable activities, which describes when exactly business practices can be considered sustainable. While the taxonomy has only been recently established, progressively more companies will have to report how much of their revenue was created via sustainably executed business processes. To help companies prepare to assess whether their business processes comply with the constraints outlined in the taxonomy, we investigate in how far these criteria can be used for conformance checking, that is, assessing in a data-driven manner, whether business process executions adhere to regulatory constraints. For this, we develop a few-shot learning pipeline to characterize the constraints of the taxonomy with the help of an LLM as to the process dimensions they relate to. We find that many constraints of the taxonomy are useable for conformance checking, particularly in the sectors of energy, manufacturing, and transport. This will aid companies in preparing to monitor regulatory compliance with the taxonomy automatically, by characterizing what kind of information they need to extract, and by providing a better understanding of sectors where such an assessment is feasible and where it is not.

Computers and Society,Databases

Sridevi Saralaya,Vishwas Saralaya,Rio D’Souza

DOI: https://doi.org/10.1007/978-3-319-93940-7_3

2018-07-27

Digital Business

Abstract:Business Process Compliance refers to the act of conformance of a business process with policies, regulations and rules that govern the organization. An imperative requirement of business processes in various fields such as Health care, Insurance, Finance and Online Trade is adherence to a large number of compliance requirements, constraints and quality policies from various sources. Lack of compliance may result in huge compensations and loss of customers and reputation. Compliance issues can be handled either retrospectively i.e. after non-complaint situations are observed or they can be handled proactively i.e. anticipation of possibilities leading to non-compliant circumstances during process execution which may prevent occurrence of deviations and thus save upon compensation effects. Hence compliance management tasks need to be incorporated into each phase of the life-cycle of a business process. In this article we discuss contemporary activities related to lifecycle of compliance management in business processes which involve compliance elicitation, compliance formalization, compliance implementation, compliance verification and compliance improvement based on existing literature. Compliance Monitoring Functionalities (CMFs) which may be used to categorize and also assess existing compliance management approaches and frameworks are also discussed.

Nigel Adams,Adriano Augusto,Michael Davern,Marcello La Rosa

DOI: https://doi.org/10.48550/arXiv.2203.14904

2022-03-24

General Economics

Abstract:Banks play an intrinsic role in any modern economy, recycling capital from savers to borrowers. They are heavily regulated and there have been a significant number of well publicized compliance failings in recent years. This is despite Business Process Compliance (BPC) being both a well researched domain in academia and one where significant progress has been made. This study seeks to determine why Australian banks find BPC so challenging. We interviewed 22 senior managers from a range of functions within the four major Australian banks to identify the key challenges. Not every process in every bank is facing the same issues, but in processes where a bank is particularly challenged to meet its compliance requirements, the same themes emerge. The compliance requirement load they bear is excessive, dynamic and complex. Fulfilling these requirements relies on impenetrable spaghetti processes, and the case for sustainable change remains elusive, locking banks into a fail-fix cycle that increases the underlying complexity. This paper proposes a conceptual framework that identifies and aggregates the challenges, and a circuit-breaker approach as an "off ramp" to the fail-fix cycle.

Hugo A. López,Thomas T. Hildebrandt

2024-10-14

Abstract:Digitalization efforts often face a key challenge: business processes must not only be efficient in achieving their goals but also adhere to legal regulations. Business process compliance refers to aligning processes with these regulations. Numerous frameworks have been developed to address this, with the earliest dating back to 1981. This study focuses on rigorous frameworks using formal methods to verify or ensure compliance. We conducted a systematic literature review (SLR) on process compliance frameworks based on formal models. Our goal was to assess the current state of research on process model compliance and identify gaps and opportunities for future work. Starting with 5018 candidate studies from 1981 to the establishment of GDPR, we selected 46 primary studies. These frameworks were categorized by their phases, the languages used for processes and compliance, and their reasoning techniques. We also examined their practical applicability, the case studies they were tested on, the types of users involved, and the skills needed for compliance. Also, we assessed the maturity of each framework. Our findings reveal strong consensus around verification techniques as central to process compliance, though there is less agreement on the earlier and later phases of compliance. Model checking is the dominant technique, but the compliance and process languages have evolved. Most frameworks are still conceptual with prototype implementations, often failing to account for compliance professionals like legal experts or law changes. In conclusion, there is a need for comprehensive empirical studies to better understand the anatomy and maturity of regulatory compliance frameworks, and for robust evaluation methods to benchmark these frameworks. This review offers valuable insights for researchers and practitioners in process compliance.

Software Engineering

Ho-Pun Lam,Mustafa Hashmi,Akhil Kumar

DOI: https://doi.org/10.48550/arXiv.2012.13219

2020-12-24

Abstract:Binary "YES-NO" notions of process compliance are not very helpful to managers for assessing the operational performance of their company because a large number of cases fall in the grey area of partial compliance. Hence, it is necessary to have ways to quantify partial compliance in terms of metrics and be able to classify actual cases by assigning a numeric value of compliance to them. In this paper, we formulate an evaluation framework to quantify the level of compliance of business processes across different levels of abstraction (such as task,trace and process level) and across multiple dimensions of each task (such as temporal, monetary, role-, data-, and quality-related) to provide managers more useful information about their operations and to help them improve their decision making processes. Our approach can also add social value by making social services provided by local, state and federal governments more flexible and improving the lives of citizens.

Artificial Intelligence,Logic in Computer Science

Hugo A. López,Søren Debois,Tijs Slaats,Thomas T. Hildebrandt

DOI: https://doi.org/10.1007/978-3-030-45234-6_19

2020-01-01

Abstract:Legal compliance is an important part of certifying the correct behaviour of a business process. To be compliant, organizations might hard-wire regulations into processes, limiting the discretion that workers have when choosing what activities should be executed in a case. Worse, hard-wired compliant processes are difficult to change when laws change, and this occurs very often. This paper proposes a model-driven approach to process compliance and combines a) reference models from laws, and b) business process models. Both reference and process models are expressed in a declarative process language, The Dynamic Condition Response (DCR) graphs. They are subject to testing and verification, allowing law practitioners to check consistency against the intent of the law. Compliance checking is a combination of alignments between events in laws and events in a process model. In this way, a reference model can be used to check different process variants. Moreover, changes in the reference model due to law changes do not necessarily invalidate existing processes, allowing their reuse and adaptation. We exemplify the framework via the alignment of laws and business rules and a real contract change management process, Finally, we show how compliance checking for declarative processes is decidable, and provide a polynomial time approximation that contrasts NP complexity algorithms used in compliance checking for imperative business processes. All-together, this paper presents technical and methodological steps that are being used by legal practitioners in municipal governments in their efforts towards digitalization of work practices in the public sector.

Stefanie Rinderle-Ma,Karolin Winter,Janik-Vasily Benzin

DOI: https://doi.org/10.1016/j.is.2023.102210

2023-03-02

Abstract:Business process compliance is a key area of business process management and aims at ensuring that processes obey to compliance constraints such as regulatory constraints or business rules imposed on them. Process compliance can be checked during process design time based on verification of process models and at runtime based on monitoring the compliance states of running process instances. For existing compliance monitoring approaches it remains unclear whether and how compliance violations can be predicted, although predictions are crucial in order to prepare and take countermeasures in time. This work, hence, analyzes existing literature from compliance monitoring as well as predictive process monitoring and provides an updated framework of compliance monitoring functionalities. Moreover, it raises the vision of a comprehensive predictive compliance monitoring system that integrates existing predicate prediction approaches with the idea of employing PPM with different prediction goals such as next activity or remaining time for prediction and subsequent mapping of the prediction results onto the given set of compliance constraints (PCM). For each compliance monitoring functionality we elicit PCM system requirements and assess their coverage by existing approaches. Based on the assessment, open challenges and research directions realizing a comprehensive PCM system are elaborated.

Software Engineering,Artificial Intelligence

Elham Ramezani,Dirk Fahland,Jan Martijn van der Werf,Peter Mattheis

DOI: https://doi.org/10.1007/978-3-642-28115-0_43

2012-01-01

Abstract:The ever growing set of regulations and laws organizations have to comply to, introduces many new challenges. Current approaches that check for compliance by implementing controls in an existing information system (IS) decrease the maintainability of both the set of compliance rules and the IS. In this position paper, we advocate the separation of the compliance process from the organization’s business processes. We introduce a life cycle for the management of compliance rules. A separate compliance engine is used to define and check compliance rules independent from the existing IS within an organization.

Mustafa Hashmi,Guido Governatori

DOI: https://doi.org/10.1007/978-3-319-02922-1_8

2013-01-01

Abstract:Existing compliance management frameworks (CMFs) offer a multitude of compliance management functionalities for the modeling of specific norms for specific domain and compliance checking of normative requirements. This makes difficult for enterprises to decide on a framework suitable for their compliance requirements. Making a decision on the suitability requires a deep understanding of the functionalities of a framework. Gaining such an understanding is a difficult task which, in turn, requires specialised tools and methodologies for evaluation. Current compliance research lacks such tools and methodologies for evaluating CMFs. This paper reports a methodological evaluation of existing CMFs based on pre-defined evaluation criteria. Our evaluation highlights what existing CMFs can offer, and what they cannot. Also, it underpins various open questions and discusses the challenges in this direction.

Sachar Paulus,Ute Riemann

DOI: https://doi.org/10.48550/arXiv.1310.2832

2013-10-08

Computers and Society

Abstract:The need for process improvement is an important target that does affect as well the government processes. Specifically in the public sector there are specific challenges to face.New technology approaches within government processes such as cloud services are necessary to address these challenges. Following the current discussion of cloudification of business processes all processes are considered similar in regards to their usability within the cloud. The truth is, that neither all processes have the same usability for cloud services not do they have the same importance for a specific company.The most comprehensive process within a company is the corporate value chain. In this article one key proposition is to use the corporate value chain as the fundamental structuring backbone for all business process analysis and improvement activities. It is a pre-requisite to identify the core elements of the value chain that are essential for the individual companys business and the root cause for any company success. In this paper we propose to use the company-specific value-creation for the cloud-affinity and the cloud-usability of a business process in public sector considering the specific challenges of addressing processes in cloud services. Therefor it is necessary to formalize the way the processes with its interdependencies are documented in context of their company-specific value chain (as part of the various deployment- and governance alternatives. Moreover, it is essential in the public sector to describe in detail the environmental and external restrictions of processes. With the use of this proposed methodology it becomes relatively easy to identify cloud-suitable processes within the public sector and thus optimize the public companies value generation tightly focused with the use of this new technology.

Sérgio Guerreiro

DOI: https://doi.org/10.1108/bpmj-02-2020-0072

2020-07-14

Business Process Management Journal

Abstract:Purpose The purposes of this paper are: (1) to identify what types of business process operation controllers are discussed in literature and how can they be classified in order to establish the available body of knowledge in the literature, and then, (2) to identify which concepts are relevant for business process operation control and how are these concepts related in order to offer a reference model for assessing how well are control layers enforced in the dynamic stable nature of an enterprise' business processes operation. Design/methodology/approach One cycle of the circular framework for literature review as proposed by Vom Brocke et al. (2009) is followed. Five stages are comprised: (1) definition of review scope (Section 1 and 2), (2) conceptualization of topic (Section 3), (3) literature search (Section 4), (4) literature analysis and synthesis (Section 5), and (5) definition of a research agenda (Section 6 that also concludes the paper). Vom Brocke, J., Simons, A., Niehaves, B., Niehaves, B., Reimer, K., Plattfaut, R., and Cleven, A. (2009), “Reconstructing the giant: on the importance of rigour in documenting the literature search process”, ECIS 2009 Proceedings, Vol. 161. Findings Results indicate that (1) many studies exist in the literature, but no integrated knowledge is proposed, hindering the advance of knowledge in this field, (2) a knowledge gap exists between the implemented solutions and the conceptualization needed to generalize the solution to other contexts. Also, the ontology proposed provides a reference model for assessing the maturity of the business process control operation. Research limitations/implications The contents contained in the paper needs to be further deepened to include the concepts of “business process management” and “business process mining”, as well as a semantic equivalence study between concepts can integrate better this conceptual framework and identify similarities. Then, the relationship between industries and dynamically stable business processes operation concepts have not yet been fully investigated. Thirdly, the atypical curve of interest that business processes operational control has been receiving in literature is not fully understood. Practical implications Some example applications that could benefit from this ontology are (1) security policy for business processes fine grained access control; (2) business processes enforced with decentralized policies, e.g. blockchain; (3) business process compliance and change; or (4) intelligent enterprise decision-making process, e.g. using AI trained neural network to support the human decision to choose if a control actuation is positive or negative instead of relying only on human-based decisions. Social implications We understand that business process operation is a dynamically stable system, where steady motion is achieved with the continuous imposition of actor's actions. Therefore, all the work that contribute to the development of knowledge regarding the actor's actions in their execution environment offer the ability to optimize, and/or reengineering, business processes delivering more social value or better social conditions. Originality/value In the best of our knowledge this work is unique in the sense that integrates a set of concepts that is rarely, or never, combined. Table 3 corroborates this result.

management,business

Jannis Kiesel,Elias Grünewald

2024-06-14

Abstract:Ever-increasingly complex business processes are enabled by loosely coupled cloud-native systems. In such fast-paced development environments, data controllers face the challenge of capturing and updating all personal data processing activities due to considerable communication overhead between development teams and data protection staff. To date, established business process management methods generate valuable insights about systems, however, they do not account for all regulatory transparency obligations. For instance, data controllers need to record all information about data categories, legal purpose specifications, third-country transfers, etc. Therefore, we propose to bridge the gap between business processes and application systems by providing three contributions that assist in modeling, discovering, and checking personal data transparency through a process-oriented perspective. We enable transparency modeling for relevant business activities by providing a plug-in extension to BPMN featuring regulatory transparency information. Furthermore, we utilize event logs to record regulatory transparency information in realistic cloud-native systems. On this basis, we leverage process mining techniques to discover and analyze personal data flows in business processes, e.g., through transparency conformance checking. We design and implement prototypes for all contributions, emphasizing the appropriate integration and modeling effort required to create business-process-oriented transparency. Altogether, we connect current business process engineering techniques with regulatory needs as imposed by the GDPR and other legal frameworks.

Software Engineering

Barbara Gallina,Gergő László Steierhoffer,Thomas Young Olesen,Eszter Parajdi,Mike Aarup

DOI: https://doi.org/10.1002/smr.2728

2024-09-01

Journal of Software Evolution and Process

Abstract:An ontology for mastering the cognitive complexity of the compliance problem, when heterogeneous and geographically distributed knowledge‐driven organizational structures (legal department, standardization department, etc.) need to communicate. We provide (1) an illustration of the usefulness of our ontology in the context of pumps manufacturing and safety process compliance with the Machinery Directive andharmonized standards; (2) a set of competency questions that translate competencies within the departments; and (3) a set of queries that retrieve answers to the questions and populate a justification for compliance, generated by instantiating a novel argumentation pattern. Legislations impose requirements on the manufacturing of machinery. Typically, these requirements are interpreted and refined by (domain‐specific) technical committees and published in terms of standards. At the company level, these refined requirements are further interpreted, refined, and documented in terms of internal processes. Due to the proliferation of (interdependent) legislations and standards and the consequent increase of the cognitive complexity, at the company level, manual knowledge management is becoming more and more challenging and requires automated decision support. Despite the availability of approaches aimed at automating the decision support, no one offers a satisfactory solution. In this paper, we focus on knowledge management for process compliance and we propose a novel structured ontology. Our ontology aims at mastering (by dividing and conquering via tracing) the cognitive complexity of the compliance problem, when heterogeneous and sometimes geographically distributed knowledge‐driven organizational structures (legal department, standardization department, etc.) are involved and need to communicate. We also illustrate the potential usefulness of our proposed ontology in the context of pumps manufacturing and safety process compliance with the Machinery Directive and related harmonized standards including EN 809:1998+A1. Specifically, first, we identify the competencies that characterize departments and interdepartment interactions, then we formulate an initial set of competency questions that translate those identified competencies, then we show how the ontology can be exploited to retrieve the answers to the questions and how the answers can be exploited to build a justification for compliance. Precisely, we propose an argumentation pattern given in two different argumentation notations, and we show how it can be partly instantiated by exploiting the returned answers. The illustration also partly covers the compliance with the Machinery Regulation, expected to replace the Machinery Directive by January 2027. Finally, we sketch our intended future work.

computer science, software engineering

Stephen Pope

DOI: https://doi.org/10.69554/uwfw1045

2022-03-01

Abstract:Financial compliance management continues to complexify between the addition of ponderous quantities of new regulatory guidance and the development and exchange of new, fairly unregulated asset types. Contrasting these monumental industry shifts against the frequent inertia of company positions toward compliance makes it clear that modernisation requires both the addition of new tools and of new ways of building relationships. This paper discusses the importance of instilling a compliance focus within an organisation, through the use of technology, the conscious development of a compliance-driven culture and the intentional engagement and connection between compliance professionals and other members of the organisational leadership team. In addition, it outlines the key components most likely to yield success when implementing new regulatory compliance tools, and how the addition of such tools can create bandwidth for both expanding the compliance function and creating greater value through strategic compliance-related decisions. Modernising compliance includes using compliance as a tool for horizon planning and making decisions with long-term impact, as well as creating deeper, more trust-driven bonds with consumers.

Yunmei Wu,Benjamin van Rooij

DOI: https://doi.org/10.1007/s10551-019-04234-4

IF: 6.331

2019-06-20

Journal of Business Ethics

Abstract:Abstract Studying compliance, in terms of the business responses to legal rules, is notoriously difficult. This paper focuses on the difficulty of capturing the behavioral response itself, rather than on difficulties in explaining compliance and isolating particular factors of influence on it. The paper argues that existing approaches to capture such compliance, using surveys and governmental data, run the risk of failing to capture compliance as it occurs in the reality of day-to-day business responses to the law. It does so by means of a unique ethnographic approach to study compliance. Drawing from data of deep participant observation about responses to legal rules in two small businesses, the paper finds that in this context there is Compliance Dynamism. This means that compliance varies for different rules, it varies over time, and businesses learn from one response to the law to the next on a daily basis. Compliance is also situational, and there is an Indirect Observer Effect, where the way compliance is measured, especially when using data derived from inspections, shapes what compliance is observed and what is not. Therefore, compliance should be captured not as a singular state but as a string of reiterative processes that occur in their situational context. And this fundamentally challenges most existing methods to capture compliance and thus our understanding of what compliance occurs and what may shape it. In its conclusion, the paper draws out the implications this has for studies that seek to find simple and usable findings about compliance.

business,ethics

Hongmei Cao,Xi Chen,Liang Zhang,Tiange Zhang,Xiaochun Xiao

DOI: https://doi.org/10.1007/s11761-022-00347-3

2022-01-01

Service Oriented Computing and Applications

Abstract:Enterprises rely on their process-aware information system (PAIS) to conduct business. Therefore, appropriately responding to environmental changes is vital for enterprises to maintain competitiveness. However, one type of change, namely the long-tailed change (LTC), has been overlooked by traditional business process management practice because of its variety and infrequency. Just as the long-tailed effect reveals, the impact of LTC on enterprise PAIS might be no less dramatic than the impact of high-frequency changes. Since business process models are core assets of an enterprise, it is profitable to reuse them efficiently while tackling the conflict of flexibility and applicability in a timely way. This paper proposes a process model maintenance approach to responding to LTCs. By supporting business analysts to add syntax-correct annotations to existing business process models, the approach achieves an agile, error-free, and low-cost mechanism for dealing with LTCs.

Stijn Goedertier,Jan Vanthienen

DOI: https://doi.org/10.1007/11837862_2

2006-01-01

Abstract:The sequence and timing constraints on the activities in business processes are an important aspect of business process compliance. To date, these constraints are most often implicitly transcribed into control-flow-based process models. This implicit representation of constraints, however, complicates the verification, validation and reuse in business process design. In this paper, we investigate the use of temporal deontic assignments on activities as a means to declaratively capture the control-flow semantics that reside in business regulations and business policies. In particular, we introduce PENELOPE, a language to express temporal rules about the obligations and permissions in a business interaction, and an algorithm to generate compliant sequence-flow-based process models that can be used in business process design.

Guy Redding,Marlon Dumas,Arthur H. M. ter Hofstede,Adrian Iordachescu

DOI: https://doi.org/10.1007/s11761-010-0065-4

2010-01-01

Abstract:Mainstream business process modelling techniques often promote a design paradigm wherein the activities that may be performed within a case, together with their usual execution order, form the backbone on top of which other aspects are anchored. This Fordist paradigm, while effective in standardised and production-oriented domains, breaks when confronted with processes in which case-by-case variations and exceptions are the norm. We contend that the effective design of flexible processes calls for a substantially different modelling paradigm. Motivated by requirements from the human services domain, we explore the hypothesis that a framework consisting of a small set of coordination concepts, combined with established object-oriented modelling principles, provides a suitable foundation for designing highly flexible processes. Several human service delivery processes have been designed using this framework, and the resulting models have been used to realise a system to support these processes in a pilot environment.

J. Kotremba,S. Raß,R. Singer

DOI: https://doi.org/10.48550/arXiv.1309.3126

2014-05-18

Abstract:Commercially available business process management systems (BPMS) still suffer to support organizations to enact their business processes in an effective and efficient way. Current BPMS, in general, are based on BPMN 2.0 and/or BPEL. It is well known, that these approaches have some restrictions according modeling and immediate transfer of the model into executable code. Recently, a method for modeling and execution of business processes, named subject-oriented business process management (S-BPM), gained attention. This methodology facilitates modeling of any business process using only five symbols and allows direct execution based on such models. Further on, this methodology has a strong theoretical and formal basis realizing distributed systems; any process is defined as a network of independent and distributed agents - i.e. instances of subjects - which coordinate work through the exchange of messages. In this work, we present a framework and a prototype based on off-the-shelf technologies as a possible realization of the S-BPM methodology. We can prove and demonstrate the principal architecture concept; these results should also stimulate a discussion about actual BPMS and its underlying concepts.

Multiagent Systems,Software Engineering

Nick Russell,Arthur ter Hofstede

DOI: https://doi.org/10.1007/978-3-642-03121-2_2

2009-01-01

Abstract:The Business Process Management domain has evolved at a dramatic pace over the past two decades and the notion of the business process has become a ubiquitous part of the modern business enterprise. Most organizations now view their operations in terms of business processes and manage these business processes in the same way as other corporate assets. In recent years, an increasingly broad range of generic technology has become available for automating business processes. This is part of a growing trend in the software engineering field throughout the past 40 years, where aspects of functionality that are potentially reusable on a widespread basis have coalesced into generic software components. Figure 2.1 illustrates this trend and shows how software systems have evolved from the monolithic applications of the 1960s developed in their entirety often by a single development team to today’s offerings that are based on the integration of a range of generic technologies with only a small component of the application actually being developed from scratch. In the 1990s, generic functionality for the automation of business processes first became commercially available in the form of workflow technology and subsequently evolved in the broader field of business process management systems (BPMS). This technology alleviated the necessity to develop process support within applications from scratch and provided a variety of off-the-shelf options on which these requirements could be based. The demand for this technology was significant and it is estimated that by 2000 there were well over 200 distinct workflow offerings in the market, each with a distinct conceptual foundation. Anticipating the difficulties that would be experienced by organizations seeking to utilize and integrate distinct workflow offerings, the Workflow Management Coalition (WfMC), an industry group formed to advance technology in this area, proposed a standard reference model for workflow technology with an express desire to seek a common platform for achieving workflow interoperation.